summaryrefslogtreecommitdiff
path: root/projects/wolfssl_options.h
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2016-03-29 18:50:12 -0400
committerJay Satiro <raysatiro@yahoo.com>2016-03-29 18:50:12 -0400
commit27c99a37ba55a78e3227c7058cf7533bb4aa7296 (patch)
tree6bc9eedadb86d8c1000c41642f35d9c2e8312f18 /projects/wolfssl_options.h
parentd5fc6e14b0b4f240b3b225487637c265471a9fc7 (diff)
downloadcurl-27c99a37ba55a78e3227c7058cf7533bb4aa7296.tar.gz
build-wolfssl: Allow a broader range of ciphers (Visual Studio)
This is an update to the build-time options used to build wolfSSL in Visual Studio for greater compatibility, and make it behave similar to the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers and SSLv3 are disabled by default at build time, but we can use both. - Enable static cipher suites TLS_ECDH_ and TLS_RSA_. - Enable SSLv3 hello. Though in libcurl we disable it by default at runtime, we make it available so the user can manually select it if necessary.
Diffstat (limited to 'projects/wolfssl_options.h')
-rw-r--r--projects/wolfssl_options.h93
1 files changed, 67 insertions, 26 deletions
diff --git a/projects/wolfssl_options.h b/projects/wolfssl_options.h
index 40c34e5d7..b668daaf5 100644
--- a/projects/wolfssl_options.h
+++ b/projects/wolfssl_options.h
@@ -5,27 +5,42 @@ To remedy this issue for libcurl I've generated this options file that
build-wolfssl will copy to the wolfSSL include directories and will result in
maximum compatibility.
-These configure flags were used in MinGW to generate the options in this file:
-
---enable-opensslextra
---enable-aesgcm
---enable-ripemd
---enable-sha512
---enable-dh
---enable-dsa
---enable-ecc
---enable-sni
---enable-fastmath
---enable-sessioncerts
---enable-certgen
---enable-testcert
---enable-alpn
-C_EXTRA_FLAGS="-DFP_MAX_BITS=16384 -DTFM_TIMING_RESISTANT"
+These are the configure options that were used to build wolfSSL v3.9.0 in mingw
+and generate the options in this file:
+
+C_EXTRA_FLAGS="\
+ -Wno-attributes \
+ -Wno-unused-but-set-variable \
+ -DFP_MAX_BITS=16384 \
+ -DTFM_TIMING_RESISTANT \
+ -DWOLFSSL_STATIC_DH \
+ -DWOLFSSL_STATIC_RSA \
+ " \
+./configure --prefix=/usr/local \
+ --enable-aesgcm \
+ --enable-alpn \
+ --enable-certgen \
+ --enable-dh \
+ --enable-dsa \
+ --enable-ecc \
+ --enable-fastmath \
+ --enable-opensslextra \
+ --enable-ripemd \
+ --enable-sessioncerts \
+ --enable-sha512 \
+ --enable-sni \
+ --enable-sslv3 \
+ --enable-testcert \
+ > config.out 2>&1
Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
-are inapplicable for our Visual Studio build.
+are inapplicable for our Visual Studio build. Currently thread local storage is
+only used by the Fixed Point cache ECC which we're not enabling. However even
+if we later may decide to enable the cache it will fallback on mutexes when
+thread local storage is not available. wolfSSL is using __declspec(thread) to
+create the thread local storage and that could be a problem for LoadLibrary.
-Regarding the two options that were added via C_EXTRA_FLAGS:
+Regarding the options that were added via C_EXTRA_FLAGS:
FP_MAX_BITS=16384
http://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
@@ -38,6 +53,11 @@ https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
From section 2.4.5 Increasing Performance, USE_FAST_MATH:
"Because the stack memory usage can be larger when using fastmath, we recommend
defining TFM_TIMING_RESISTANT as well when using this option."
+
+WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
+WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
+https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
+Static key cipher suites are deprecated and disabled by default since v3.6.6.
*/
/* wolfssl options.h
@@ -49,7 +69,9 @@ defining TFM_TIMING_RESISTANT as well when using this option."
*
*/
-#pragma once
+#ifndef WOLFSSL_OPTIONS_H
+#define WOLFSSL_OPTIONS_H
+
#ifdef __cplusplus
extern "C" {
@@ -61,6 +83,12 @@ extern "C" {
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT
+#undef WOLFSSL_STATIC_DH
+#define WOLFSSL_STATIC_DH
+
+#undef WOLFSSL_STATIC_RSA
+#define WOLFSSL_STATIC_RSA
+
#undef OPENSSL_EXTRA
#define OPENSSL_EXTRA
@@ -91,15 +119,12 @@ extern "C" {
#undef ECC_SHAMIR
#define ECC_SHAMIR
-#undef NO_PSK
-#define NO_PSK
+#undef WOLFSSL_ALLOW_SSLV3
+#define WOLFSSL_ALLOW_SSLV3
#undef NO_RC4
#define NO_RC4
-#undef NO_MD4
-#define NO_MD4
-
#undef NO_HC128
#define NO_HC128
@@ -124,16 +149,32 @@ extern "C" {
#undef HAVE_SNI
#define HAVE_SNI
+#undef HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
+#undef HAVE_ALPN
+#define HAVE_ALPN
+
+#undef HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
#undef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT
+#undef NO_PSK
+#define NO_PSK
+
+#undef NO_MD4
+#define NO_MD4
+
#undef USE_FAST_MATH
#define USE_FAST_MATH
-#undef HAVE_ALPN
-#define HAVE_ALPN
#ifdef __cplusplus
}
#endif
+
+#endif /* WOLFSSL_OPTIONS_H */
+